Secret Ponchos - Valve
Play Secret Ponchos for FREE starting now through Sunday at 1PM Pacific Time. You can also pickup Secret Ponchos at 50% off the regular price!*

Secret Ponchos is a beautiful but deadly competitive PvP fighting game set in a stylish Spaghetti Western universe. The isometric gameplay is team based and unlike any fighting game or MOBA you've played before. Combat is fast-paced, precise and merciless, resulting in a competitive environment where skills matter. There is no auto-attacking or hand-holding – every shot is a skill-shot!

If you already have Steam installed, click here to install or play Secret Ponchos. If you don't have Steam, you can download it here.

*Offer ends Monday at 10AM Pacific Time
Lethal League - Valve
Today's Deal: Save 66% on Lethal League!*

Look for the deals each day on the front page of Steam. Or follow us on twitter or Facebook for instant notifications wherever you are!

*Offer ends Wednesday at 10AM Pacific Time
Announcement - Valve
Today's Deal: Save 50% on Deadpool!*

Look for the deals each day on the front page of Steam. Or follow us on twitter or Facebook for instant notifications wherever you are!

*Offer ends Tuesday at 10AM Pacific Time
Double Fine Adventure - Valve
Today's Deal: Save 80% on Double Fine Bundle 2015!*

Look for the deals each day on the front page of Steam. Or follow us on twitter or Facebook for instant notifications wherever you are!

*Offer ends Sunday at 10AM Pacific Time
Killing Floor 2 - Valve
Play Killing Floor 2 for FREE starting now through Sunday at 1PM Pacific Time. You can also pickup Killing Floor 2 at 33% off the regular price!*

If you already have Steam installed, click here to install or play Killing Floor 2. If you don't have Steam, you can download it here.

Killing Floor 2 is the successor to the ridiculously fun and successful original title, that was released in 2009. We released Killing Floor 2 on Steam via Early Access in April 2015 and over the last 7 months have rolled out 3 massive content updates as we get closer and closer to the final release.

In KILLING FLOOR 2 players descend into continental Europe where the outbreak caused by Horzine Biotech’s failed experiment has quickly spread and gained unstoppable momentum, essentially paralyzing the European Union. Just one month after the conclusion of the events in the original KILLING FLOOR, the specimen clones are everywhere and civilization is in disarray; communications have failed, governments have collapsed, and military forces have been systematically eradicated. The people of Europe know survival and self-preservation too well and lucky survivors have gone into hiding.

Not all have given up hope though... A group of civilians and mercenaries have banded together, paid for by Horzine, to combat the outbreak and established privately funded operation bases across Europe. Upon tracking specimen clone outbreaks, players will descend into zed-laden hot zones and exterminate them.

*Offer ends Monday at 10AM Pacific Time
NEKOPARA Vol. 1 - Valve
Today's Deal: Save 50% on NEKOPARA Vol. 1!*

Look for the deals each day on the front page of Steam. Or follow us on twitter or Facebook for instant notifications wherever you are!

*Offer ends Saturday at 10AM Pacific Time
Dyscourse - Valve
Today's Deal: Save 65% on Dyscourse!*

Look for the deals each day on the front page of Steam. Or follow us on twitter or Facebook for instant notifications wherever you are!

*Offer ends Friday at 10AM Pacific Time
Dec 9, 2015
Announcement - Valve
Recently we've seen the community have a good discussion about the pros and cons of trade holds. We thought we'd walk through how we decided to implement them, in the hopes that it helps you understand why they're absolutely necessary.









Compromised accounts and item theft


Account theft has been around since Steam began, but with the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users. Having your account stolen, and your items traded away, is a terrible experience, and we hated that it was becoming more common for our customers.

Once an account was compromised, the items would be quickly cleaned out. They'd then be traded again and again, eventually being sold to an innocent user. Looking at their account activity, it wasn't too hard to figure out what happened, but undoing it was harder because we don't want to take things away from innocent users. We decided to err on the side of protecting them: we left the stolen goods, and we created duplicates on the original compromised account to replace them. We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence.



The number of hijacked accounts continues to grow


This was an unacceptable status quo and we needed to address it. In revisiting our strategy to stop it, we found two things of note.

First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers. Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets.

The "I got hacked" story is told so frequently it's become commonplace. And that makes it easy to forget its significance; compromised security of email accounts and PCs, Steam account violation, and theft. We used to hold the opinion that if you were smart about account security, you'd be protected--it's easy to assume that users whose accounts were stolen were new or technically na ve users who must be sharing their passwords or clicking on suspicious links. That's simply not the case.

What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or na ve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.

We can help users who've been hacked by restoring their accounts and items, but that doesn't deter the business of hacking accounts. It's only getting worse.



How we can stop it


We've worked to improve account security features, closed loopholes, improved how and when we message users that their account is at risk, added self-locking, and created the Steam Guard Mobile Authenticator (two-factor authentication).

Two-factor authorization is the use of a separate device to confirm your identity. The security of this system is based on moving that step from your PC to a device a hacker can't access, such as your smartphone. PCs can be easily compromised, therefore a PC-based authenticator would not provide better security than a password or email authentication.

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.



Here's the tradeoff


At this time, most people have not protected their account with this increased level of security. Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authorization. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.

So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft. If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods. The Steam Community Market doesn't work well for that purpose, because purchases can't be moved around as quickly (purchased items can't be traded for 7 days), and they can't ensure the items move to an account they control.

One option proposed was to simply remove trading. The Steam Market already accounted for the vast majority of virtual goods exchanged by Steam users. We even generate revenue off those transactions, which helps cover the cost of fraud, unlike person-to-person trades. And removing trading was by far the easiest solution to implement. But we felt that was a bad choice for users. Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely. It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge.

We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.

  • If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.

  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.


This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover it before the hackers can steal their items.



A difficult balance


Once again, we're fully aware that this is a tradeoff with the potential for a large impact on trading. Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products. Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.

Hopefully this post has given you some insight into the problem, and why we've taken this approach. As always, we'll continue to read the community's discussions throughout the Steam forums and the web at large, and we look forward to hearing your thoughts.
EVE Online - Valve
Save 10% to 75% on EVE Online during this week's Midweek Madness*!

Save 75% on Start Pack and Content Packs, 50% on the Premium Edition and 10% on Aurum and Plex.

*Offer ends Thursday at 4PM Pacific Time
Victor Vran ARPG - Valve
Save 50% on Victor Vran during this week's Midweek Madness*!

Victor Vran is the isometric action-RPG where your skill is just as essential as your character build and gear. Experience intense combat action: dodge, jump and unleash powerful skills to finish off your enemies!

*Offer ends Friday at 10 AM Pacific Time
...